Malicious package

getd-content-management (npm)

Malicious code in getd-content-management (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5465
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall getd-content-management

What this malware does

The unscoped package name 'getd-content-management' impersonates the legitimate @getd/* npm scope (acknowledged in the package's own README). On npm install, the postinstall.js lifecycle script collects host identifiers via os.hostname(), os.userInfo().username, os.platform(), process.cwd(), and CI-related environment variables (CI, BUILD_BUILDID, AGENT_NAME), and transmits them as query-string parameters in an HTTPS GET request to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 — a generic third-party request-capture service unrelated to any publisher infrastructure. Errors are silently swallowed so the installer sees no indication the call occurred. The combination of name-confusion against an existing scope and silent install-time beaconing of internal hostnames, user accounts, build paths, and CI agent identity to an attacker-controlled capture URL is operationally indistinguishable from a malicious typosquat regardless of how the README frames the behavior.

Malicious versions

1 flagged
0.0.1
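
An added example (not code from this advisory or from the package) that checks a parsed package-lock.json for the flagged name and version, covering both the flat "packages" layout and the older nested "dependencies" layout. The sample lockfiles, the scoped package @getd/content-management and the alias "cms" are constructed for illustration.

```javascript
// Added example: locate the flagged package in a parsed package-lock.json.
const BAD_NAME = "getd-content-management"; // name from the advisory
const BAD_VERSIONS = new Set(["0.0.1"]);    // flagged version from the advisory

// "node_modules/a/node_modules/@s/b" -> "@s/b" (lockfileVersion 2/3 keys).
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? "" : key.slice(i + marker.length);
}

// Return every install of BAD_NAME found in a parsed package-lock.json.
function findFlagged(lock) {
  const hits = [];
  const record = (where, version) =>
    hits.push({ where, version, flagged: BAD_VERSIONS.has(version) });
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "name" is set when the folder
    // is an alias, so prefer it over the path-derived name.
    for (const [key, meta] of Object.entries(lock.packages)) {
      if ((meta.name || nameFromPath(key)) === BAD_NAME) record(key, meta.version);
    }
    return hits;
  }
  // v1: nested "dependencies" keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === BAD_NAME) record(path.join(" > "), meta.version);
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not real projects).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@getd/content-management": { version: "2.1.0" }, // hypothetical scoped package: must not match
  "node_modules/cms": { name: "getd-content-management", version: "0.0.1" }, // aliased install
  "node_modules/tool/node_modules/getd-content-management": { version: "0.0.1" }, // transitive
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  tool: { version: "3.0.0", dependencies: { "getd-content-management": { version: "0.0.1" } } },
} };

console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

To check a real project, pass findFlagged the result of JSON.parse on its package-lock.json. A hit with flagged: false means the name is present at a version this advisory does not list.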

Indicators of compromise (SHA-256)

44eb41541c340c710ad8afc366ab4642d3809d8d9afef53b99e3704b9dfb684b
efaa0ace9a4e74cb70a973143ccb7abd217de77d7fcd7bb588536de79c3d360c

Frequently asked questions

No. getd-content-management on npm has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005199
IN-MAL-2026-005200

Credits

  • Amazon Inspector · finder

getd-content-management (npm) malicious package — MAL-2026-5465 | O3 Security